Bug 531684 (CVE-2014-9218) - <dev-db/phpmyadmin-{4.0.10.8,4.1.14.8,4.2.13.1}: multiple vulnerabilities (CVE-2014-{9218,9219})
Summary: <dev-db/phpmyadmin-{4.0.10.8,4.1.14.8,4.2.13.1}: multiple vulnerabilities (CV...
Status: RESOLVED FIXED
Alias: CVE-2014-9218
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-04 15:27 UTC by Agostino Sarubbo
Modified: 2015-03-16 03:51 UTC

See Also:
Package list:
Runtime testing required: ---


Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 22:35:00 UTC
CVE-2014-9219 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9219):
  Cross-site scripting (XSS) vulnerability in the redirection feature in
  url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers to
  inject arbitrary web script or HTML via the url parameter.

CVE-2014-9218 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9218):
  libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before
  4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a
  denial of service (resource consumption) via a long password.
Comment 2 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2015-01-05 22:04:32 UTC
22:02 < irker677> gentoo-x86: jmbsvicetto dev-db/phpmyadmin: Security bump - fixes bug 531684.

New versions added to the tree:
phpmyadmin-4.1.14.8.ebuild
phpmyadmin-4.2.13.1.ebuild
phpmyadmin-4.0.10.7.ebuild

@security:
It should be OK to stabilize the new versions as soon as possible.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2015-01-15 21:37:43 UTC
Arches, please test and mark stable:

=phpmyadmin-4.1.14.8
=phpmyadmin-4.2.13.1

Target Keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Thank you!
Comment 4 Jeroen Roovers gentoo-dev 2015-01-16 07:54:12 UTC
(In reply to Yury German from comment #3)
> Arches, please test and mark stable:
> 
> =phpmyadmin-4.1.14.8
> =phpmyadmin-4.2.13.1

Please post full atoms.
Comment 5 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2015-01-16 12:03:35 UTC
(In reply to Jeroen Roovers from comment #4)
> (In reply to Yury German from comment #3)
> > Arches, please test and mark stable:
> > 
> > =phpmyadmin-4.1.14.8
> > =phpmyadmin-4.2.13.1
> 
> Please post full atoms.

Here they are:

=dev-db/phpmyadmin-4.1.14.8
=dev-db/phpmyadmin-4.2.13.1
Comment 6 Andreas Schürch gentoo-dev 2015-01-16 18:07:37 UTC
x86 done
Comment 7 Jeroen Roovers gentoo-dev 2015-01-16 21:05:17 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2015-01-21 10:32:25 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-01-31 10:33:38 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-02-16 10:21:31 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-02-18 08:50:38 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-02-24 11:00:00 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev Security 2015-02-24 22:32:07 UTC
Arches, thank you for your work.

Security, please vote.
First Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Kristian Fiskerstrand gentoo-dev Security 2015-02-24 22:35:14 UTC
GLSA Vote: No
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2015-03-07 07:02:09 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 16 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2015-03-14 15:38:38 UTC
15:33 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump phpmyadmin to the latest releases and add 4.4.0_beta1. Address CVE-2014-{9218,9219} - fixes bug 531684. Address PMASA-2015-1 - fixes bug 542218. Drop old vulnerable versions.

Vulnerable versions cleaned.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev Security 2015-03-16 03:51:44 UTC
Maintainer(s), thank you for the cleanup.